[German]US vendor Cisco was the victim of a cyber attack in May 2022, in which attackers were able to penetrate the company's IT infrastructure. As of August 10, 2022, Cisco has made this attack public – also because the attackers published captured information. At the same time, Cisco Talos released some information about the attack. Apparently, the Cisco security team was aware of the attacks early on and was able to observe the attacker (Yanluowang Ransomware gang) in their activities.
I already came across the information a few hours ago – following tweet also points out the facts (cyber attack on Cisco).
What happened?
According to the Cisco post Cisco Event Response: Corporate Network Security Incident, dated August 10, 2022, the company was the victim of a cyber attack. The incident occurred months ago, as Cisco identified a security incident that targeted the company's IT infrastructure back on May 24, 2022. As a result, immediate action was taken to contain and eliminate the attackers, to be sure. But the attackers were already on the company's IT network and had access to data there.
The good news Cisco wants to communicate in its post: in addition, steps were taken to address the impact of the incident and further protect the IT environment. No ransomware was observed or deployed, and Cisco has successfully blocked attempts to access Cisco's network since the incident was discovered.
It also states that Cisco has not seen any impact of this incident on its business. This includes any impact on Cisco products or services, sensitive customer data or sensitive employee information, Cisco intellectual property or supply chain.
A social engineering attack
In this document, Cisco Talos discloses the details (this is to be commended, as this is usually left in the dark) of how the attack on the Cisco VPN was able to succeed. It states:
The initial access to the Cisco VPN was through the successful compromise of a Cisco employee's personal Google account.
The user had enabled password synchronization via Google Chrome and saved his Cisco credentials in his browser so that this information could be synchronized with his Google account. The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations, attempting to convince the victim to accept attacker-initiated push notifications for multi-factor authentication (MFA).
At some point, the attacker finally managed to get confirmation from the victim in response to countless MFA push messages, which granted him access to the VPN in the context of the target user.
After obtaining the user's credentials, the attacker attempted to bypass multifactor authentication (MFA) using a number of techniques, including voice phishing (also known as "vishing") and MFA fatigue, which is sending a large number of push requests to the target's mobile device until the user accepts them, either accidentally or simply to get peace of mind from the repeated push notifications.
Vishing is an increasingly common social engineering technique in which attackers attempt to trick employees into revealing confidential information over the phone. In this case, an employee reported receiving multiple calls over several days in which the callers – who spoke in English with various international accents and dialects – claimed to be connected to support organizations the user trusted.
After gaining initial access to the employee's Google account, the attacker enrolled a number of new devices for MFA and successfully authenticated to the Cisco VPN. The attacker then gained administrative privileges that allowed him to log into multiple systems.
This operation alerted the Cisco Security Incident Response Team (CSIRT), which subsequently responded to the incident. Analysis shows that the attacker used a number of tools in the hack. These included remote access tools such as LogMeIn and TeamViewer, offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz and Impacket. Using the administrator privileges and the tools, the attacker added his own backdoor accounts and persistence mechanisms to the Cisco IT network.
The threat actor performed a series of activities to maintain access to the network, minimize forensic artifacts, and expand his access to systems within the environment. He then began to search the environment, using common Windows integrated utilities to determine the system's user and group membership configuration, hostname, and identify the context of the user account under which he was operating.
Cisco Talos security teams observed the attacker periodically entering commands with typos, indicating that manual intervention was occurring in the environment. The attacker(s) used the access to the VPN through the compromised user account to log into a large number of systems. Then penetrated the Citrix environment, compromised a number of Citrix servers, and finally gained privileged access to domain controllers.
After gaining access to the domain controllers, the attacker attempted to create NTDS dumps from the domain controllers using the "ntdsutil.exe" file and a PowerShell command. The attacker then worked to transfer the collected NTDS data from the domain controller to its own system via SMB (TCP/445) using VPN. The attacker was observed to use machine accounts for privileged authentication and lateral movement in the environment after gaining access to the credential databases.
In Cisco's disclosure, it reads that Cisco security teams tracked the attacker in the system for weeks. This attacker used the access features on the Windows login screen to create a SYSTEM-level prompt that gave him complete control of the system. In several cases, security teams observed that the attacker added these keys but did not interact further with the system. It is suspected that this may have been planned as a persistence mechanism that could be used later if primary privileged access was revoked.
Throughout the attack, security teams observed attempts to exfiltrate information from the environment. Cisco confirmed that the only successful data exfiltration that occurred during the attack included the contents of a box folder associated with a compromised employee's account and the employee's authentication credentials from Active Directory. The box data that the attacker obtained in this case was not sensitive. On August 10, 2022, a list of files from this security incident was published by the attacker on the dark web.
After the security team prevented access via the VPN account for the attacker, continuous attempts to restore access could be observed in the following weeks. In most cases, the attacker was observed using weak password rotation hygiene after mandatory password resets by employees. The attacker(s) primarily targeted users who they assumed had changed their previous single-character passwords. The attacker or attackers attempted to use these credentials to authenticate and regain access to the Cisco VPN.
The attackers initially used traffic anonymization services such as Tor. However, after having limited success, they moved on to establishing new VPN sessions from the private IP space using accounts that had already been compromised in the initial phase of the attack. In responding to the attack, Cisco teams also observed the registration of several additional domains that pointed to the organization and took action before they could be used for malicious purposes.
After successfully removing the attacker from the Cisco environment, the attacker also repeatedly attempted to establish email communications with senior members of the organization. According to Cisco, however, there were no specific threats or extortion demands. One email included a screenshot showing the directory listing of Box data that had previously been exfiltrated as described above.
If interested, the details can be read in this CISCO article. A FAQ on the incident has been posted by Cisco here. The colleagues at Bleeping Computer have rehashed the incident, which originated from the Yanluowang ransomware gang and in which 2.8 GB of data was allegedly stolen, here.